Statescoop reports that the Federal Trade Commission has finalized an order against K-12 software vendor Illuminate Education, mandating improvements to its data security measures and prohibiting misrepresentation of its data privacy practices following a 2021 breach that affected over 10 million students.

The FTC's order stems from allegations that Illuminate failed to implement reasonable security controls, contributing to a December 2021 cyberattack. A hacker reportedly used former employee credentials to access sensitive data, including email addresses, dates of birth, student records, and health information of approximately 10.1 million current and former students across multiple states. The FTC also alleged that Illuminate ignored security warnings from 2020 and failed to implement adequate access controls, threat detection, and vulnerability management. Furthermore, the company is accused of not notifying some school districts about the breach in a timely manner, with some notifications delayed by up to two years.

Instead of a monetary penalty, the FTC order requires Illuminate to establish a comprehensive data security program, practice data minimization, limit data collection and retention, delete unnecessary data, and publicly share compliance records. The order also prohibits the company from making false claims about its data privacy and security practices in the future and requires notification to the FTC of any reportable data breaches.

Source: Statescoop




